Nematodes, often called "anti-worms" or "beneficial worms", are a controversial topic. They involve exploiting the same vulnerabilities used by malicious worms, but, rather than installing malware or being used to form a botnet, nematodes attempt to disinfect and patch the vulnerable host. In some variants, nematodes also try to perform some kind of beneficial action, such as compressing files, or reporting illegal content to law enforcement.
Despite being brought up a few times in previous talks and papers, nematodes remain largely on the fringes of the security community's consciousness. Perhaps part of the reason for this is the demise of traditional network worms – after all, it's not 2004 any more – and perhaps, for good reason, most people think the idea usually doesn't work in practice, or has significant legal implications. However, there has recently been a trend of wormable vulnerabilities which utilise rather different mediums – such as WiFi (Broadpwn), Bluetooth (BlueBorne), light (smart lightbulbs), RFID tags, and more - and, of course, a huge number of wormable vulnerabilities in a wide range of IoT devices. The rise of these, and the fact that IoT security issues are not easily resolvable with patching, antivirus solutions, and other security mechanisms, may make it worth re-opening the nematode debate.
In this talk, I'll consider whether it actually is worth doing so, given that we could be on the threshold of an era involving new and devastating types of worms. Along the way, I'll cover the history of nematodes and take a journey back in time with some 'digital paleovirology', starting with the murky history of Creeper, Reaper and PERVADE in the 1970s, then moving on to Brain and Denzuko in 1986; ADM and Max Vision in 1998; PolyPedo in 2001; the 'worm wars' of 2003-2004; and right up to the present day battles between IoT botnets such as Mirai with IoT nematodes such as Hajime and Brickerbot.
I'll also cover the legal and ethical issues posed by nematodes; the challenges and benefits they can bring; and will present some demos of custom nematodes. These include custom-developed worms and corresponding nematodes for both a recent web application vulnerability and an IoT device, and an improved and updated alternative to the PolyPedo worm. I'll also discuss 'Antidote', an in-progress and experimental modular framework for deploying and configuring anti-worms based on recent exploits and attack techniques. Finally, I'll outline some ideas for future research in this area.